Chrome Web Store · MV3 · Zero Backend · Gemini-Powered

Stop prompt injection. Before it reaches your LLM.

Sentiency detects, classifies, and remediates adversarial AI content in real time — directly in your browser. No servers. No telemetry. No compromise.

Free · No account required · No data leaves your device
Manifest V3 · Zero telemetry · 6 engines · Gemini JSON · 100% local
Detection Engines

Six engines.
One shield.

Every vector of prompt injection is covered — from hidden DOM text to clipboard payloads, image steganography, and multi-turn session manipulation.

DOM

DOM Engine

Watches every DOM mutation with a MutationObserver. Isolates visually hidden text — zero-size fonts, opacity 0, offscreen elements — and runs the full threat pipeline before users interact.

4,000+ nodes analyzed
250ms debounce · MutationObserver · Subtree scanning
CLIPBOARD

Clipboard Guard

Intercepts every paste event before content reaches its destination field. Handles plain text and image pastes alike. Blocks, sanitizes, or passes through based on threat classification.

8-char minimum
beforeinput · paste capture · image files
COPY

Copy Scanner

Fires on the native copy event and scans selected text exceeding the minimum threshold. Warns you when adversarial content has been silently copied from a compromised page.

20-char threshold
copy capture · selection.toString()
SESSION

Session Monitor

Active on ChatGPT, Claude, Gemini, and other LLM platforms. Observes assistant streaming, waits for message stability, then runs single-turn and trajectory analysis over a sliding window.

12-turn window
Crescendo · Deceptive Delight · in-session protocol
IMAGE

Image Analysis

Sends clipboard image pastes and sidebar uploads to Gemini's multimodal endpoint. Extracts visible text, detects injections embedded in screenshots, diagrams, or documents.

4 MB max image size
inlineData · mimeType · OCR + classify
SCAN

Manual Scan

Right-click any selection and choose 'Scan selection with Sentiency', or use the keyboard shortcut. Works on any page, any text, without waiting for automatic triggers.

On-demand · any page
context menu · ⌘⇧S · getSelection()
Threat Pipeline

Every threat.
One pipeline.

Six deterministic stages transform raw text or image data into a classified, severity-scored, remediated threat object — in milliseconds.

01

Input Detection

Text enters the pipeline from any of the 6 engines — DOM mutation, clipboard paste, copy event, session stream, image OCR, or manual scan. Each carries metadata: source engine, page URL, tab ID.

DOM · CLIPBOARD · SESSION · COPY · IMAGE · SCAN
analyzeText(text, source, options)
02

Local Heuristics

Four fast, zero-network detectors run in parallel: unicode anomaly scanning (zero-width chars, homoglyphs), instruction pattern matching with keyword + imperative regex, encoding detection (base64, char arrays, Morse), and visibility analysis.

Unicode · Instruction Pattern · Encoding · Visibility
Promise.all([unicode, instruction, encoding])
03

Gemini Classification

If local heuristics fire, text exceeds 150 chars, the source is CLIPBOARD or SCAN, or forceClassifier is set — a structured prompt is sent to Gemini. The model returns a JSON object with injection_detected, confidence, attack_class, technique, injection_spans, reasoning.

gemini-3.1-flash-lite-preview · JSON schema · 3× retry
callGemini(buildSingleTurnPrompt(text))
04

Threat Confirmation

A threat is confirmed when Gemini signals injection with confidence ≥ threshold (default 0.65), OR when the instruction suspicion score alone exceeds 0.8 — ensuring high-confidence local finds cannot be suppressed by a weak LLM response.

threshold: 0.65 · suspicion ≥ 0.8 · multi-signal merge
confirmed = (gemini && conf ≥ threshold) || suspicion ≥ 0.8
05

Taxonomy + Severity

Confirmed threats are mapped to a hierarchical CrowdStrike-style taxonomy (attack class → technique). Severity is scored from confidence bands: CRITICAL ≥ 0.9, HIGH ≥ 0.75, MEDIUM ≥ 0.6, LOW otherwise. Unicode + encoding co-occurrence bumps severity one tier.

CRITICAL · HIGH · MEDIUM · LOW
mapToTaxonomyPath(class, technique)
06

Persist & Notify

The threat object is persisted to chrome.storage.local (max 100 entries, newest-first). The service worker receives THREAT_DETECTED and updates the badge with count and severity color. The content script fires remediations and updates the in-page UI.

chrome.storage.local · badge · remediation
persistAndBroadcastThreat(threat)
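Stages 04 and 05 above, written out as pure functions so the merge rule and the severity bands can be exercised on sample input. This is an added example, not Sentiency's own code; it follows the field names of the response schema on this page, while the taxonomy subset, the defensive JSON parsing, and the rule for choosing a confidence value when only the local signal fired are assumptions.

```javascript
// Added example, not Sentiency's own code: stages 04 and 05 as pure functions.
// Field names follow the page's response schema; the taxonomy subset and the
// rule for picking a confidence value when only the local signal fired are assumptions.
const DEFAULT_THRESHOLD = 0.65, SUSPICION_OVERRIDE = 0.8;
const TIERS = ['LOW', 'MEDIUM', 'HIGH', 'CRITICAL'];
const TAXONOMY = { // assumed subset of the attack class -> technique hierarchy
  'Indirect Prompt Injection': ['CSS Concealment', 'DOM Injection', 'Metadata Embedding'],
  'Prompt Hijacking': ['Instruction Override', 'Role Jailbreak', 'System Prompt Extraction'],
  'Encoded Injection': ['Base64 Encoding', 'Char Array Obfuscation', 'Unicode Steganography'],
};

// Parse the Gemini JSON defensively: a malformed reply counts as "no LLM signal",
// never as a detection, so a bad response can neither fabricate nor confirm a threat.
function parseGeminiResponse(raw) {
  try {
    const r = JSON.parse(raw);
    const confidence = Number(r.confidence);
    if (typeof r.injection_detected !== 'boolean' || !(confidence >= 0 && confidence <= 1)) return null;
    return { ...r, confidence };
  } catch { return null; }
}

// Stage 04: confirmed = (gemini && conf >= threshold) || suspicion >= 0.8.
function isConfirmed(gemini, suspicion, threshold = DEFAULT_THRESHOLD) {
  const llmSays = !!gemini && gemini.injection_detected && gemini.confidence >= threshold;
  return llmSays || suspicion >= SUSPICION_OVERRIDE; // local hit cannot be suppressed by a weak LLM reply
}

// Stage 05: confidence bands, bumped one tier when unicode and encoding findings co-occur.
function scoreSeverity(confidence, { unicodeAnomaly = false, encodingFound = false } = {}) {
  let tier = confidence >= 0.9 ? 3 : confidence >= 0.75 ? 2 : confidence >= 0.6 ? 1 : 0;
  if (unicodeAnomaly && encodingFound) tier = Math.min(3, tier + 1);
  return TIERS[tier];
}

function mapToTaxonomyPath(attackClass, technique) {
  const techniques = TAXONOMY[attackClass];
  if (!techniques) return 'Unclassified';
  return `${attackClass} > ${techniques.includes(technique) ? technique : 'Unknown'}`;
}
// Full merge: null when nothing is confirmed, otherwise the scored threat object.
function buildThreat(rawGeminiJson, local, threshold = DEFAULT_THRESHOLD) {
  const gemini = parseGeminiResponse(rawGeminiJson);
  if (!isConfirmed(gemini, local.suspicion, threshold)) return null;
  // Assumption: score on the stronger of the two signals (LLM confidence vs local suspicion).
  const confidence = Math.max(gemini && gemini.injection_detected ? gemini.confidence : 0, local.suspicion);
  const path = gemini ? mapToTaxonomyPath(gemini.attack_class, gemini.technique) : 'Unclassified';
  return { confidence, severity: scoreSeverity(confidence, local), path };
}
```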
Detection Methods

Local speed.
LLM depth.

Heuristic detectors run instantly in-page. Gemini classification provides semantic depth for ambiguous or obfuscated payloads. Both signals are merged with a configurable confidence gate.

Local Heuristics

Zero network · parallel · <2ms total

visibility-analyzer · ~0.3ms

Flags hidden elements: display:none, visibility:hidden, opacity 0, sub-pixel fonts, fg/bg color match, clip-path, offscreen positioning, zero-size boxes with text.

unicode-detector · ~0.1ms

Scans for zero-width characters, homoglyph substitutions, and other Unicode anomalies that can hide text from human view while remaining readable to LLMs.

instruction-pattern · ~0.2ms

Substring scan over INSTRUCTION_KEYWORDS plus imperative regex. Produces a suspicion score in [0, 1]. A score ≥ 0.8 can confirm a threat even without strong Gemini confidence.

encoding-detector · ~0.4ms

Heuristics for base64-like blobs, char-array obfuscation, Morse-like patterns, and other encoding schemes used to hide payload text from naive scanners.

obfuscation-unwrapper · ~0.5ms

Uses encoding findings to decode obfuscated strings back to plaintext before Gemini classification — ensuring the classifier sees the actual attack content.
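A condensed, synchronous version of the unicode, instruction-pattern and encoding heuristics listed above, added here as an example and not taken from Sentiency's source. The keyword list, the score weights, the homoglyph subset and the encoding regexes are assumptions; the extension's real INSTRUCTION_KEYWORDS are not on this page.

```javascript
// Added example, not Sentiency's own code: a condensed, synchronous version of
// the unicode, instruction-pattern and encoding heuristics described above.
// The keyword list, weights, homoglyph subset and encoding regexes are assumptions.
const ZERO_WIDTH = /[\u200B-\u200D\u2060\uFEFF\u00AD\u202A-\u202E\u2066-\u2069]/g; // ZWSP, ZWJ, soft hyphen, bidi controls
const HOMOGLYPHS = /[\u0430\u0435\u043E\u0440\u0441\u0445\u03BF]/g; // Cyrillic/Greek lookalikes of a e o p c x o
// Assumed keyword list; the extension's real INSTRUCTION_KEYWORDS are not on the page.
const INSTRUCTION_KEYWORDS = ['ignore all previous', 'ignore previous instructions', 'system prompt', 'you are now', 'forget all'];
const IMPERATIVE = /\b(ignore|disregard|forget|override|reveal|print)\b[^.]{0,40}\b(instructions?|rules?|prompt)\b/i;

// unicode-detector: zero-width code points and homoglyphs hide text from humans but not from LLMs.
function scanUnicode(text) {
  const zeroWidth = (text.match(ZERO_WIDTH) || []).length;
  const homoglyphs = (text.match(HOMOGLYPHS) || []).length;
  return { zeroWidth, homoglyphs, anomalous: zeroWidth > 0 || homoglyphs > 0 };
}

// instruction-pattern: keyword substrings plus an imperative regex -> suspicion score in [0, 1].
function instructionSuspicion(text) {
  const clean = text.replace(ZERO_WIDTH, '').toLowerCase(); // so "ig\u200Bnore" still matches
  let score = 0;
  for (const kw of INSTRUCTION_KEYWORDS) if (clean.includes(kw)) score += 0.4;
  if (IMPERATIVE.test(clean)) score += 0.4;
  return Math.min(1, score);
}

// encoding-detector: cheap shape checks for base64 blobs, char arrays and Morse-like runs.
function detectEncoding(text) {
  const base64 = /(?:[A-Za-z0-9+\/]{4}){8,}={0,2}/.test(text);            // 32+ base64-alphabet chars
  const charArray = /\[\s*\d{2,3}(?:\s*,\s*\d{2,3}){7,}\s*\]/.test(text); // e.g. [105, 103, 110, ...]
  const morse = /^(?:[.-]{1,5}[ \/]+){5,}[.-]{1,5}$/.test(text.trim());  // only dots, dashes, separators
  return { base64, charArray, morse, anyEncoding: base64 || charArray || morse };
}

// Runs all three and reports whether the pipeline should escalate to Gemini classification.
function runLocalHeuristics(text) {
  const unicode = scanUnicode(text);
  const encoding = detectEncoding(text);
  const suspicion = instructionSuspicion(text);
  return { unicode, encoding, suspicion, fired: unicode.anomalous || encoding.anyEncoding || suspicion >= 0.5 };
}
```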

Gemini Classification

gemini-3.1-flash-lite-preview · temp 0.1 · 3× retry

// Response schema
{
  injection_detected: boolean,
  confidence: float [0,1],
  attack_class: string,
  technique: string,
  injection_spans: array,
  intent: string,
  reasoning: string,
}
injection_detected

Primary signal: is this a prompt injection?

confidence

Probability estimate. Threshold: 0.65 by default.

attack_class

Taxonomy class: e.g. Indirect Prompt Injection, Prompt Hijacking.

technique

Specific technique: CSS Concealment, Crescendo, Deceptive Delight, etc.

injection_spans

Character-level spans [start, end] localizing the malicious content.

intent

Inferred adversarial goal: data exfiltration, instruction override, etc.

reasoning

Chain-of-thought explanation for the classification decision.

Threat Taxonomy

A classification
for every attack.

Hierarchical threat taxonomy maps Gemini output to named attack classes and techniques — from CSS concealment to Crescendo multi-turn attacks.

Severity bands
CRITICAL · confidence ≥ 0.90
HIGH · confidence ≥ 0.75
MEDIUM · confidence ≥ 0.60
LOW · confidence < 0.60

Indirect Prompt Injection

CSS Concealment

Hidden via font-size, opacity, color match

DOM Injection

Injected as text nodes, data attributes

Metadata Embedding

In alt text, title, aria-label

Prompt Hijacking

Instruction Override

Ignore/forget all previous instructions

Role Jailbreak

Impersonate a different AI persona

System Prompt Extraction

Elicit system prompt via prompting

Multi-Turn Manipulation

Crescendo

Gradual escalation across conversation turns

Deceptive Delight

Benign lead-in before malicious payload

Protocol Setup

In-session rules established for later exploitation

Encoded Injection

Base64 Encoding

Payload encoded to evade simple keyword scan

Char Array Obfuscation

String split into character arrays

Unicode Steganography

Zero-width chars, homoglyphs

Visual Injection

Image Text Embedding

Instructions embedded in screenshots or docs

OCR Exploitation

Content readable by AI vision but hidden to users

Data Exfiltration

Exfil via URL

Crafted link encodes stolen context as params

Covert Channel Setup

Establishes covert output encoding for later reads

Security Architecture

Built for your
browser. Not
their servers.

A security tool that is itself a privacy risk adds no value. Sentiency was designed from the ground up to keep all data local.

No backend. Ever.

Sentiency has no server infrastructure. There is no API to compromise, no data warehouse to breach. The entire detection pipeline runs inside Chrome's renderer process.

Local-first storage

All settings, threat logs, and session history are stored in chrome.storage.local — on your machine, under your control, never synchronized to any external service.

Minimal network footprint

The only outbound connection is to the Gemini API with your own key. No analytics, no telemetry, no beacons. You control the key; you control the data.

Shadow DOM isolation

The in-page UI is mounted in a Shadow DOM with extracted CSS, preventing page styles from leaking in or extension styles from leaking out. No class conflicts, no visual contamination.

Manifest V3 architecture

Built on Chrome's latest extension platform. Service workers replace persistent background pages, reducing resource usage and attack surface. All permissions are declared upfront.

manifest.json permissions
activeTab

Access current tab content on user action

scripting

Inject content scripts programmatically

storage

Local settings and threat log persistence

clipboardRead

Intercepting paste operations

clipboardWrite

Sanitizing clipboard content on block

sidePanel

Threat log and settings side panel

tabs

Badge + session cleanup on tab close

contextMenus

Right-click scan selection

host_permissions
<all_urls>
https://generativelanguage.googleapis.com/*

All-URLs access required for content script. Generative Language API for Gemini classification only.

Get Started

Add to Chrome.
Stay protected.

Install from the Chrome Web Store or build from source. Open-source and free forever — bring your own Gemini API key. No account, no subscription, no data collection.

Free and open source · MIT license · No telemetry
installation guide
$ git clone https://github.com/desenyon/sentiency.git
$ npm install && npm run build
# → output in dist/
01

Open Chrome and navigate to chrome://extensions

02

Enable Developer mode in the top-right corner

03

Click "Load unpacked" and select the dist/ directory

04

Open Settings and add your Gemini API key

05

Protection activates immediately on all tabs

Requires a Gemini API key (free tier available)